Jump to content

globalroot\systemroot\system32\UACpwtrwrnnuh.dll

jeepndiva

By jeepndiva
in Resolved Malware Removal Logs

 Share

Recommended Posts

jeepndiva

jeepndiva

Posted
Posted

globalroot systemroot system32 UACpwtrwrnnuh.dll

I have a Vista system that has the above problem. I ran Malwarebytes but had to rename the install file and the exe file in order to get it to run. Two files come up Trojan and rootkit.

c:\windows\system32\uacinit.dll

HKEY_LOCAL_MACHINE\SOFTWARE\UAC

Malwarebytes will not remove them, I ran dds.scr.

1st file

DDS (Ver_09-07-30.01) - NTFSx86

Run by owner at 19:02:11.27 on Mon 08/31/2009

Internet Explorer: 7.0.6000.16890

Microsoft

Attach.txt

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello and welcome to the forum!

My name is Extremeboy, and I will help you with your log.

Please continue with running a scan with RootRepeal, followed by DDS, a scanner tool. I know you ran DDS already, so please run it again so I can see the current condition of your machine. :)

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.

  • Unzip the RootRepeal.zip file it to it's own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the reportTab.png tab at the bottom.
  • Now press the btnScan.png button.
  • A box will pop up, check the boxes beside All Seven options/scan area
    RR_checkbox.jpg
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button. saveReport.png
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explanation about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results soon.

    [*]Follow the instructions that pop up for posting the results and then click Ok.

    [*]The black and message box window shall then disappear.

    [*]Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Also, please provide a description of any remaining problems or symptoms you may still have please.

With Regards,

Extremeboy

Link to post
Share on other sites
jeepndiva

jeepndiva

Posted
  • Author
Posted
Hello and welcome to the forum!

My name is Extremeboy, and I will help you with your log.

Please continue with running a scan with RootRepeal, followed by DDS, a scanner tool. I know you ran DDS already, so please run it again so I can see the current condition of your machine. :)

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.

  • Unzip the RootRepeal.zip file it to it's own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the reportTab.png tab at the bottom.
  • Now press the btnScan.png button.
  • A box will pop up, check the boxes beside All Seven options/scan area
    RR_checkbox.jpg
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button. saveReport.png
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explanation about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results soon.

    [*]Follow the instructions that pop up for posting the results and then click Ok.

    [*]The black and message box window shall then disappear.

    [*]Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Also, please provide a description of any remaining problems or symptoms you may still have please.

With Regards,

Extremeboy

System will not run root repeal

This is the error I received

20:18:25: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x00000104)

20:18:25: DeviceIoControl Error! Error Code = 0x1e7

20:18:25: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x00000104)

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello.

Please do not quote everything I replied in my previous reply. This causes unnecessary information/space that is not needed. Just simply use the Add Reply button to reply back to me.

--

Try GMER and if it doesn't work either, please still continue with running a new scan with DDS. Post those logs in your next reply.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

  • Please download GMER from one of the following locations, and save it to your desktop:

    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

  • Close any and all open programs, as this process may crash your computer.
  • Double click gmerRandomIcon.png or gmerDesktopIcon.png on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.

  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..
    gmerNoDialog.png

  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)

    [*]Click on btnScan.png and wait for the scan to finish.

    [*]If you see a rootkit warning window, click OK.

    [*]Push btnSave.png and save the logfile to your desktop.

    [*]Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

With Regards,

Extremeboy

Link to post
Share on other sites
jeepndiva

jeepndiva

Posted
  • Author
Posted

Contents of the GMER file

GMER 1.0.15.15077 [c53yhuio.exe] - http://www.gmer.net

Rootkit scan 2009-09-02 20:44:08

Windows 6.0.6000

---- System - GMER 1.0.15 ----

Code 85591010 ZwEnumerateKey

Code 85591088 ZwFlushInstructionCache

Code 8552F7FD IofCallDriver

Code 8558892E IofCompleteRequest

Code 8559104D ZwSaveKey

Code 8558EEA5 ZwSaveKeyEx

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [344] 0x10000000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [680] 0x014E0000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [680] 0x01660000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [756] 0x10000000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [756] 0x006E0000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [788] 0x10000000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [788] 0x008D0000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [904] 0x10000000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [904] 0x008D0000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [928] 0x10000000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [928] 0x008D0000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [992] 0x10000000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [992] 0x008D0000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1016] 0x10000000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1016] 0x00C60000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1148] 0x10000000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1148] 0x00C60000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1300] 0x10000000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1300] 0x008D0000

Library \\?\globalroot\systemroot\system32\UACpwtrwrnnmh.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1356] 0x013B0000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1392] 0x10000000

Library \\?\globalroot\systemroot\system32\UACjvdncdcjeq.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1532] 0x10000000

Library \\?\globalroot\systemroot\system32\UACimjhhitadg.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1532] 0x008D0000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 03: copy of MBR

Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 05: copy of MBR

Disk \Device\Harddisk0\DR0 sector 06: copy of MBR

Disk \Device\Harddisk0\DR0 sector 07: copy of MBR

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

Disk \Device\Harddisk0\DR0 sector 10: copy of MBR

Disk \Device\Harddisk0\DR0 sector 11: copy of MBR

Disk \Device\Harddisk0\DR0 sector 12: copy of MBR

Disk \Device\Harddisk0\DR0 sector 13: copy of MBR

Disk \Device\Harddisk0\DR0 sector 14: copy of MBR

Disk \Device\Harddisk0\DR0 sector 15: copy of MBR

Disk \Device\Harddisk0\DR0 sector 16: copy of MBR

Disk \Device\Harddisk0\DR0 sector 17: copy of MBR

Disk \Device\Harddisk0\DR0 sector 18: copy of MBR

Disk \Device\Harddisk0\DR0 sector 19: copy of MBR

Disk \Device\Harddisk0\DR0 sector 20: copy of MBR

Disk \Device\Harddisk0\DR0 sector 21: copy of MBR

Disk \Device\Harddisk0\DR0 sector 22: copy of MBR

Disk \Device\Harddisk0\DR0 sector 23: copy of MBR

Disk \Device\Harddisk0\DR0 sector 24: copy of MBR

Disk \Device\Harddisk0\DR0 sector 25: copy of MBR

Disk \Device\Harddisk0\DR0 sector 26: copy of MBR

Disk \Device\Harddisk0\DR0 sector 27: copy of MBR

Disk \Device\Harddisk0\DR0 sector 28: copy of MBR

Disk \Device\Harddisk0\DR0 sector 29: copy of MBR

Disk \Device\Harddisk0\DR0 sector 30: copy of MBR

Disk \Device\Harddisk0\DR0 sector 31: copy of MBR

Disk \Device\Harddisk0\DR0 sector 32: copy of MBR

Disk \Device\Harddisk0\DR0 sector 33: copy of MBR

Disk \Device\Harddisk0\DR0 sector 34: copy of MBR

Disk \Device\Harddisk0\DR0 sector 35: copy of MBR

Disk \Device\Harddisk0\DR0 sector 36: copy of MBR

Disk \Device\Harddisk0\DR0 sector 37: copy of MBR

Disk \Device\Harddisk0\DR0 sector 38: copy of MBR

Disk \Device\Harddisk0\DR0 sector 39: copy of MBR

Disk \Device\Harddisk0\DR0 sector 40: copy of MBR

Disk \Device\Harddisk0\DR0 sector 41: copy of MBR

Disk \Device\Harddisk0\DR0 sector 42: copy of MBR

Disk \Device\Harddisk0\DR0 sector 43: copy of MBR

Disk \Device\Harddisk0\DR0 sector 44: copy of MBR

Disk \Device\Harddisk0\DR0 sector 45: copy of MBR

Disk \Device\Harddisk0\DR0 sector 46: copy of MBR

Disk \Device\Harddisk0\DR0 sector 47: copy of MBR

Disk \Device\Harddisk0\DR0 sector 48: copy of MBR

Disk \Device\Harddisk0\DR0 sector 49: copy of MBR

Disk \Device\Harddisk0\DR0 sector 50: copy of MBR

Disk \Device\Harddisk0\DR0 sector 51: copy of MBR

Disk \Device\Harddisk0\DR0 sector 52: copy of MBR

Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 54: copy of MBR

Disk \Device\Harddisk0\DR0 sector 55: copy of MBR

Disk \Device\Harddisk0\DR0 sector 56: copy of MBR

Disk \Device\Harddisk0\DR0 sector 57: copy of MBR

Disk \Device\Harddisk0\DR0 sector 58: copy of MBR

Disk \Device\Harddisk0\DR0 sector 59: copy of MBR

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

Contents of the dds file

DDS (Ver_09-07-30.01) - NTFSx86

Run by owner at 20:52:30.07 on Wed 09/02/2009

Internet Explorer: 7.0.6000.16890

Microsoft

Attach.txt

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello.

The UAC rootkit is still there. Let's start with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:

ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.

Link 1

Link 2

Please refer to this page for full instructions on how to run ComboFix.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

~Extremeboy

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello.

Combofix removed the UAC rootkit.

Please read the information below on rootkits and let me know what you decide to do here.

Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

If you wish to continue, follow the steps below:

I would like you to run a GMER scan for me.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

  • Please download GMER from one of the following locations, and save it to your desktop:

    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

  • Close any and all open programs, as this process may crash your computer.
  • Double click gmerRandomIcon.png or gmerDesktopIcon.png on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.

  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..
    gmerNoDialog.png

  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)

    [*]Click on btnScan.png and wait for the scan to finish.

    [*]If you see a rootkit warning window, click OK.

    [*]Push btnSave.png and save the logfile to your desktop.

    [*]Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

Also, try if Malwarebytes now work properly...

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1

  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

    [*]Then click Finish.

    [*]MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

    [*]On the Scanner tab:

    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.

    [*]If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

    [*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

    [*]When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

    [*]Click OK to close the message box and continue with the removal process.

    [*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.

    [*]Make sure that everything is checked, and click Remove Selected.

    [*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

    [*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

    [*]Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,

Extremeboy

Link to post
Share on other sites
jeepndiva

jeepndiva

Posted
  • Author
Posted

Contents of new GMER file.... ran in safe mode, would not run normally. Also ran malwarebytes in normal mode found 7 issues. Trojan.Agents (4) and Rootkit.TDSS (3). I have not hit the remove selected yet, advise if you want me to remove them. Thanks

GMER 1.0.15.15077 [x4qcxsxj.exe] - http://www.gmer.net

Rootkit scan 2009-09-03 13:03:50

Windows 6.0.6000

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8070E282]

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8070E474]

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8070DF32]

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0x8AB4D384]

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8070E67C]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello.

Also ran malwarebytes in normal mode found 7 issues. Trojan.Agents (4) and Rootkit.TDSS (3). I have not hit the remove selected yet, advise if you want me to remove them. Thanks

Yes. Remove those as instructed in my previous post and then post the log for my review.

Also, please re-run DDS for me and post the logs here once they are done. Refer to here for downloading and running DDS.

Could you re-run GMER again for me please. This time, ONLY CHECK the Registry section and run the scan. Post the log once that's done as well.

Is your computer running better now?

Thanks.

~Extremeboy

Link to post
Share on other sites
jeepndiva

jeepndiva

Posted
  • Author
Posted

Malwarebytes file

Malwarebytes' Anti-Malware 1.40

Database version: 2736

Windows 6.0.6000

9/3/2009 2:35:58 PM

mbam-log-2009-09-03 (14-35-58).txt

Scan type: Full Scan (C:\|)

Objects scanned: 213800

Time elapsed: 50 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Alwil Software\Avast4\DATA\moved\uac80b3.tmp.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Alwil Software\Avast4\DATA\moved\uacjvdncdcjeq.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Windows\System32\UACfyibbmqgvr.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Windows\System32\UACimjhhitadg.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Windows\System32\UACjvdncdcjeq.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Windows\System32\UACpwtrwrnnmh.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Windows\System32\drivers\UACfjxnxpdmho.sys.vir (Trojan.Agent) -> Quarantined and deleted successfully.

DDS file logs (2)

DDS (Ver_09-07-30.01) - NTFSx86

Run by owner at 14:50:18.58 on Thu 09/03/2009

Internet Explorer: 7.0.6000.16890

Microsoft

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello again.

We are going to run Combofix again with a CFScript. Please make sure ALL your security programs are disabled properly before executing the CFScript.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    CFScriptB-4.gif
    Refering to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

With Regards,

Extremeboy

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Looks good.

Let's update Java here and run an online scan.

Update Java to Version 6 Update 16

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.

-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner
    page.
  • Click on the kaspersky_scan_now.gif button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Kasaccept.png button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the KasperskySettings.png ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Kassave.png button, if you made any changes.

    [*]Now under the Scan section on the left:

    Select My Computer

    [*]The program will now start and scan your system. This will run for a while, be patient and let it finish.

    [*]Once the scan is complete, click on View scan report

    [*]Now, click on the Save Report as button.

    [*]Save the file to your desktop.

    [*]Copy and paste that information in your next post.

You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,

Extremeboy

Link to post
Share on other sites
GlennK

GlennK

Posted
Posted

WoW! I have this issue on my computer. It is however not removed and keeps coming back. Is there an easy way to fix this???

It reports as Rootkit.TDSS

For the moment it does not appear to be affecting the operation of my system.

Malwarebytes' Anti-Malware 1.40

Database version: 2738

Windows 5.1.2600 Service Pack 3

03/09/2009 8:21:03 PM

mbam-log-2009-09-03 (20-21-03).txt

Scan type: Quick Scan

Objects scanned: 103917

Time elapsed: 11 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmrnmnenkr (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello.

Run ESET scan instead:

Run ESET Online Scan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    2. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    3. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    4. Check esetAcceptTerms.png
    5. Click the esetStart.png button.
    6. Accept any security warnings from your browser.
    7. Check esetScanArchives.png
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push esetListThreats.png
    11. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the esetBack.png button.
    13. Push esetFinish.png

      You can refer to this animation by neomage if needed.
      Run Malwarebytes again and see if it still detects that.
      ~Extremeboy
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.